Presidential Cybersecurity Commission Issues 100-Page Report
President-elect Donald Trump and President Barack Obama meet in the Oval Office last month. (White House photo)
Acknowledging the urgent IT security challenges the nation faces, a cybersecurity commission named by President Barack Obama encourages the incoming administration to adopt some of its recommendations in the first 100 days of Donald Trump's presidency.
"The urgency of the situation demands that the next administration move forward promptly on our recommendations, working closely with Congress and the private sector," the commission's co-chairmen, former White House National Security Adviser Thomas Donilon and former IBM Chief Executive Samuel Palmisano, said in a letter introducing the report.
The Commission on Enhancing National Cybersecurity, formed last February by Obama (see Former National Security Adviser, Ex-IBM CEO to Head Obama's Cybersecurity Panel), issued a report on Dec. 2 that includes six major imperatives that contain 16 recommendations and 53 associated action items aimed to secure and grow the digital economy.
Despite the Obama administration making cybersecurity a major priority, as evidenced by the creation of the commission, the federal government has been victimized by a series of cyberattacks, including the breach of computers at the Office of Personnel Management, which exposed the personal information of 21.5 million individuals.
Major Goals
The imperatives detailed in the 100-page report are aimed to:
Protect, defend and secure today's information infrastructure and digital networks.
Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
Prepare consumers to thrive in a digital age.
Build cybersecurity workforce capabilities.
Better equip government to function effectively and securely in the digital age.
Ensure an open, fair, competitive and secure global digital economy.
The commission report says tackling the cybersecurity challenge requires public-private cooperation: "Every enterprise in our society - large and small companies, government at all levels, educational institutions, and individuals - must be more purposefully and effectively engaged in addressing cyber risks. They must be equipped to understand the role they play in their own security and how their actions directly impact the cybersecurity of the nation more broadly."
Obama, Industry React
Obama, in a statement, characterizes the commission's recommendations as "thoughtful and pragmatic." He says he asked the commission to brief President-elect Trump's transition as soon as possible, and calls on Congress to fully fund urgent cybersecurity needs before adjourning, a highly unlikely move in a lame-duck session that has only weeks left.
"We have the opportunity to change the balance further in our favor in cyberspace - but only if we take additional bold action to do so," Obama says. "My administration has made considerable progress in this regard over the last eight years. Now it is time for the next administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation and change - both in the United States and around the world."
Initial reaction from the private sector was positive. Larry Clinton, president of the industry group Internet Security Alliance, praised the commission for encouraging the use of incentives over regulation to get businesses to adopt best security practices.
"Cyber regulation is an area where, at this stage, less is more," Clinton says. "... Inconsistent regulations are diverting scarce cyber resources to unhelpful, check the box, compliance regimes. The commission's call to harmonize these regulations and reduce costs while calling on the private sector to develop better assessment methods are all steps we enthusiastically embrace."
Ryan Gillis, vice president for cybersecurity strategy at Palo Alto Networks, a network and enterprise security company, says the commission's report "deftly recognizes that cybersecurity is not purely a technical challenge, and that a more holistic approach is needed to preserve our digital way of life, and all the social and economic benefits that come from it."
Enhancing Identity Management
Among the commission's recommendations is the formation of a national public-private initiative to improve digital identity management. "Strong identity management is key to much of what we do in the digital economy," the report says. "An ambitious but important goal for the next administration should be to see no major breaches by 2021 in which identity - especially the use of passwords - is the primary vector of attack. Achieving this goal will enhance consumer trust in online transaction, but it will require identity solutions that are secure, privacy-enhancing, efficient, usable, and interoperable."
The panel also calls for the creation of a new civilian agency, or repurposing an existing one, to serve as a fully operational cybersecurity and critical infrastructure agency to administer a consolidated federal network. Legislation to do that, morphing the Department of Homeland Security's National Protection and Program Directorate into a cybersecurity agency within DHS, is stalled in Congress (see Overcoming Congressional Barriers on Cybersecurity Oversight).
Among the action plans the commission proposes is for the next administration to initiate a national cybersecurity workforce program to train 100,000 new cybersecurity practitioners by 2020. "Such a program - with a specific focus on local and regional partnerships of employers, educational institutions and community organizations - will help develop the skilled workforce necessary to meet the cybersecurity needs of local and regional industry," the report says.
'A Game Changer'
The commission also called for the securing of the internet of things. "This is a game changer because it takes the burden off the end users and places it on the engineers and manufacturers who design and create IoT products," says commission member Annie Antón, professor and chair of the Georgia Tech School of Interactive Computing.
Other recommendations and action plans focus on safeguarding critical infrastructure, improving security awareness, developing international cybersecurity norms and developing metrics for cybersecurity through a work group that would be coordinated by the National Institute of Standards and Technology.
"Most current efforts to measure cybersecurity effectiveness focus on the actions taken by an organization, rather than on those actions' effectiveness," the report states. "This group's work should help address that gap, offering quantifiable information that can be used to improve the [cybersecurity] framework and more precisely demonstrate where and how its use is most effective."
Metrics, the commission points out, could help insurers evolve their cybersecurity insurance offerings.